Monday, 9 January 2012

Enumerating Low Integrity Level Accessible Objects on Windows

Much has been written about the integrity levels introduced by Microsoft in Windows Vista and subsequently used in Windows 7 and Windows Server 2008. Some good background reading on the subject is:
So what's the purpose of this post you may ask? Well we needed a quick way to enumerate what aspects of the system were accessible from low integrity processes on Microsoft Windows to aid with the SDL verification phase. So we wrote a small utility to do exactly that. It enumerates different objects and looks for the mandatory label and low integrity. Currently the tool enumerates the following aspects:
  • File system
  • Registry
  • Objects
  • Named pipes
The way we implemented it was as follows. First enumerate the objects (via their respective mechanisms) and then secondly call on each, the following the functions:
The snippet of the code that does all the above can be seen below:

Click for a larger version
The following is an example of the output returned when the tool is executed:
[*] Low integrity accessible - (c)2012 Recx Ltd
[i] Low accessible object       \\.\TPPWRIF (Device)
[i] Low accessible object       \\.\Shockpf0 (Device)
[i] Low accessible object       \\.\NPF_{17575D38-0CE7-4CEE-B3E2-1B5AD8CF1731} (Device)
[i] Low accessible named pipe   \\.\Pipe\wkssvc
[i] Low accessible named pipe   \\.\Pipe\srvsvc
[i] Low accessible named pipe   \\.\Pipe\GoogleCrashServices\S-1-5-21-3594361658-2603294332-2943340413-1001
If you're interested in using the utility it can be downloaded in binary form from here. The tool has been statically compiled with the CRT so you wont need to have the correct re-distributable installed for it to work. 

Before posting we checked with Tom Keetch to see if we was aware of any other tools that would do something similar as we didn't want to waste peoples time. Tom pointed out that AccessChk from Windows Sysinternals can be used to do something similar with the -w -e command line options but won't specifically filter out just the low integrity covered objects (accepted that you could do some grep-foo to post process the output).
C:\>accesschk.exe -w -e c:\data\tmp
Accesschk v5.02 - Reports effective permissions for securable objects
Copyright (C) 2006-2011 Mark Russinovich
Sysinternals -
  Low Mandatory Level [No-Write-Up]
  RW BUILTIN\Administrators
  RW NT AUTHORITY\Authenticated Users
Tom also mentioned that the Attack Surface Analyzer from Microsoft may also flag low integrity accessible objects. The downside of Attack Surface Analyzer is it needs to be run before and after product installation so may be a little too cumbersome in some situations and specifically if you've been given an installed box to assess.

Anyway we hope you find the tool useful and if you have any feedback, bugs or omissions please do get in touch.

No comments:

Post a Comment